Department of Defense (DoD) employees are downloading unauthorized apps on their work smartphones that violate policy and could also pose “operational and cybersecurity risks to DOD information and information systems,” according to the DoD Inspector General’s Office.

The IG just released a partially redacted management advisory about the use of unauthorized apps on work devices and the potential dangers to national security.

It found that DoD personnel are conducting official business on their work-issued mobile devices using mobile apps in violation of both federal and DoD electronic messaging and records retention policies.

The report explained that “mobile applications that are misused by DoD personnel or are compromised by malicious actors can expose DoD information or introduce malware to DoD systems.”

No apps were mentioned by name, but the IG highlighted broad categories of apps that employees are accessing, including:

• Entertainment apps like streaming, radio, and fantasy football apps

• Personal apps like dating and real estate apps • Games including multi-player games and children’s games

• Shopping apps including luxury yacht dealer apps and consumer rewards apps

• Electronic messaging apps

• Cryptocurrency apps

• Personal business apps like real estate, payroll, and multi-level marketing apps

• Third-party Virtual Private Network (VPN) apps

• Printer apps

While some of the apps may seem harmless, the report points out that the apps may pose a risk as they often require access to a device’s contact list, messaging platforms, microphone, location data, camera, calendar, or other personal information.

Still, some of the unauthorized apps did have “known cybersecurity risks, operational security risks, potentially inappropriate content, or represent unacceptable use of DoD mobile devices.”

One such app had ties to a Chinese drone maker.

In addition, the IG found that DoD does not have adequate controls over the use of mobile apps. The IG said the department does not provide adequate training on policies and lacks a comprehensive device and application policy that addresses cybersecurity and operational risks.

The report was conducted after an investigation stemmed from questions by Senate Judiciary Committee Chairman Dick Durbin (D-IL) last year. Senator Durbin was concerned that texts were deleted by Pentagon officials related to the Jan. 6, 2021 attack on the U.S. Capitol.

In a statement, Senator Durbin said, “Today’s report raises more questions than it answers. Was the disappearance of critical information related to the January 6 insurrection a result of bad faith, stunning incompetence, or outdated records management policies? We still do not know. But this report illustrates the key vulnerabilities and failures that the Defense Department needs to immediately address.”